The document discusses block ciphers and the Data Encryption Standard (DES). It begins by explaining the differences between block ciphers and stream ciphers. It then covers the principles of Feistel ciphers and their structure, using DES as a specific example. DES encryption, decryption, and key scheduling are described. The document also discusses attacks on DES like differential and linear cryptanalysis. It concludes by covering modern block cipher design principles.
This document summarizes a chapter about the Data Encryption Standard (DES). It provides an overview of DES, describing it as a symmetric-key block cipher developed by IBM and adopted as a federal standard by the National Bureau of Standards (now the National Institute of Standards and Technology, NIST). The chapter then goes into details about the structure and design of DES, including its use of an initial and final permutation, 16 rounds of encryption using subkey values, and weaknesses like its short key length. It also discusses analyses of DES security, noting brute force, differential cryptanalysis, and linear cryptanalysis as potential attack methods.
Block ciphers like DES encrypt data in fixed-size blocks and are based on the Feistel cipher structure. DES encrypts 64-bit blocks using a 56-bit key and 16 rounds. Modern cryptanalysis techniques like differential and linear cryptanalysis use statistical analysis to reveal weaknesses in block ciphers; DES holds up relatively well against them (the best known attacks still need on the order of 2^43 known or 2^47 chosen plaintexts), so in practice its real weakness is the 56-bit key, which can be brute-forced. Careful design of block ciphers, including non-linear substitution boxes and a complex key schedule, aims to provide security against such cryptanalysis.
In cryptography, a block cipher is a deterministic algorithm operating on ... Systems as a means to effectively improve security by combining simple operations such as .... Finally, the cipher should be easily cryptanalyzable, such that it can be ...
Symmetric encryption and message confidentiality, by CAS
Symmetric Encryption Principles
Data Encryption Standard
Advanced Encryption Standard
Stream Ciphers and RC4
Cipher Block Modes of Operation
Key Distribution
This presentation is on block cipher modes, which are used for encryption and decryption of any message. They are defined by the National Institute of Standards and Technology. Block cipher modes of operation are part of symmetric-key encryption algorithms.
I hope you like this.
Transport Layer Security (TLS) is the successor to the Secure Sockets Layer (SSL) protocol. TLS ensures privacy and security between communicating applications and users on the internet by preventing eavesdropping, tampering, and message forgery. It works by having the client and server negotiate a cipher suite and protocol version to use to securely transmit encrypted messages. This establishes a secure channel over an unsecured network like the internet to provide confidentiality, integrity, and authentication of communications.
This document discusses block ciphers, including their definition, structure, design principles, and avalanche effect. A block cipher operates on fixed-length blocks of bits and uses a symmetric key. It encrypts bits in blocks rather than one by one. Block ciphers have advantages like high diffusion but are generally slower than stream ciphers. Many are built on the Feistel cipher structure, with a number of rounds each using its own subkey. Important design principles for block ciphers include the number of rounds, the design of the round function, and the key schedule algorithm. The avalanche effect causes a small input change (one plaintext or key bit) to result in a significant output change, ideally flipping about half of the ciphertext bits.
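As an added example (not code from any of the documents listed on this page), the following Python script implements a toy Feistel cipher to make three points from the summaries above concrete: decryption is the same network run with the subkeys in reverse order, so the round function F never needs an inverse; a one-bit plaintext change propagates to roughly half the ciphertext bits (the avalanche effect); and a block cipher on its own is deterministic, so ECB mode leaks repeated plaintext blocks while CBC hides them. The 64-bit block, 16 rounds, the SHA-256-based round function and key schedule are assumptions made for the demo; DES's actual tables are not used.

```python
# Added example: toy Feistel cipher + avalanche measurement + ECB vs CBC.
# Round function, key schedule and block size are demo assumptions, not DES.
import hashlib
import os

BLOCK_BYTES = 8            # 64-bit block, like DES
HALF = BLOCK_BYTES // 2
ROUNDS = 16


def key_schedule(key, rounds=ROUNDS):
    """Toy key schedule: subkey_i = SHA-256(key || i)[:4]."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(rounds)]


def round_function(half, subkey):
    """F(R, K). Any keyed function works in a Feistel network, even a one-way one."""
    return hashlib.sha256(subkey + half).digest()[:HALF]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block, subkeys):
    """L_{i+1} = R_i, R_{i+1} = L_i XOR F(R_i, K_i); the final swap is undone
    so the same routine inverts itself when given the subkeys reversed."""
    assert len(block) == BLOCK_BYTES
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        left, right = right, xor(left, round_function(right, k))
    return right + left


def encrypt_block(block, key):
    return feistel(block, key_schedule(key))


def decrypt_block(block, key):
    # Same network, subkeys in reverse order: no inverse of F is ever needed.
    return feistel(block, key_schedule(key)[::-1])


def hamming_distance(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(key, block, bit=0):
    """Flip one plaintext bit and count changed ciphertext bits (about 32 of 64 is ideal)."""
    flipped = bytearray(block)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return hamming_distance(encrypt_block(block, key), encrypt_block(bytes(flipped), key))


def ecb_encrypt(data, key):
    assert len(data) % BLOCK_BYTES == 0
    return b"".join(encrypt_block(data[i:i + BLOCK_BYTES], key)
                    for i in range(0, len(data), BLOCK_BYTES))


def cbc_encrypt(data, key, iv):
    assert len(data) % BLOCK_BYTES == 0 and len(iv) == BLOCK_BYTES
    out, prev = [], iv
    for i in range(0, len(data), BLOCK_BYTES):
        prev = encrypt_block(xor(data[i:i + BLOCK_BYTES], prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data, key, iv):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK_BYTES):
        c = data[i:i + BLOCK_BYTES]
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def distinct_blocks(ct):
    """Number of distinct ciphertext blocks; ECB of a repeated plaintext block gives 1."""
    return len({ct[i:i + BLOCK_BYTES] for i in range(0, len(ct), BLOCK_BYTES)})


if __name__ == "__main__":
    key = b"demo-key"                       # constructed demo key
    pt = b"ATTACK!!" * 4                    # constructed: four identical blocks
    assert decrypt_block(encrypt_block(pt[:8], key), key) == pt[:8]
    print("avalanche bits changed:", avalanche(key, pt[:8]))
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(pt, key)))   # 1: pattern leaks
    iv = os.urandom(BLOCK_BYTES)
    ct = cbc_encrypt(pt, key, iv)
    print("CBC distinct blocks:", distinct_blocks(ct))                     # 4
    assert cbc_decrypt(ct, key, iv) == pt
```

The cipher itself is not secure (a 32-bit half and a hash-based F are there only to keep the script short), but the structural property it shows is exactly DES's: the round function can be arbitrary and still the cipher is invertible, because each round only XORs F's output into one half.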
This document provides an overview of Kerberos, including:
- Kerberos is an authentication protocol that uses symmetric encryption and timestamps to allow nodes communicating over an insecure network to verify each other's identity securely.
- It works by having a client first authenticate with an authentication server to obtain a ticket-granting ticket, then uses that ticket to obtain additional tickets for access to other services.
- Kerberos addresses the need for secure authentication in distributed network environments where the workstations themselves cannot be fully trusted.
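The two exchanges in the Kerberos summary above, as an added example written for this page (not code from the summarized document): the client obtains a ticket-granting ticket from the authentication server, then presents it together with a timestamped authenticator to the ticket-granting server to get a service ticket. The script is standard-library only, so the "encryption" is a toy encrypt-then-MAC built from SHA-256 and HMAC rather than a real Kerberos enctype; the principal names, the 300-second clock skew and the password-to-key derivation are assumptions for the demo.

```python
# Added example: minimal Kerberos AS and TGS exchanges with a timestamp check
# and a replay cache. Toy crypto (SHA-256 keystream + HMAC), demo names and keys.
import hashlib
import hmac
import json
import os
import time

SKEW = 300   # seconds; authenticators outside this window are rejected (assumed value)


def string_to_key(password):
    """Toy string-to-key; real Kerberos uses a salted, iterated derivation."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key, nonce, length):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))


def toy_encrypt(key, obj):
    """Encrypt-then-MAC of a JSON object: nonce || ciphertext || HMAC tag."""
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode())


class KDC:
    """Authentication Server and Ticket-Granting Server sharing one key database."""

    def __init__(self, keys):
        self.keys = keys                    # principal -> long-term key
        self.tgs_key = keys["krbtgt"]
        self.seen = set()                   # replay cache of (client, timestamp)

    def as_exchange(self, client):
        """AS-REP: TGT sealed under the TGS key, session key sealed under the client's key."""
        sk = os.urandom(32)
        tgt = toy_encrypt(self.tgs_key, {"client": client, "sk": sk.hex(),
                                         "exp": time.time() + 3600})
        return toy_encrypt(self.keys[client], {"sk": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex, authenticator_hex, service):
        """TGS-REP: verify TGT and timestamped authenticator, then issue a service ticket."""
        t = toy_decrypt(self.tgs_key, bytes.fromhex(tgt_hex))
        if t["exp"] < time.time():
            raise PermissionError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        auth = toy_decrypt(sk, bytes.fromhex(authenticator_hex))   # proves knowledge of sk
        if auth["client"] != t["client"]:
            raise PermissionError("authenticator does not match ticket")
        if abs(time.time() - auth["ts"]) > SKEW:
            raise PermissionError("authenticator timestamp outside clock skew")
        if (auth["client"], auth["ts"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((auth["client"], auth["ts"]))
        svc_sk = os.urandom(32)
        ticket = toy_encrypt(self.keys[service], {"client": t["client"], "sk": svc_sk.hex()})
        return toy_encrypt(sk, {"sk": svc_sk.hex(), "ticket": ticket.hex()})


def client_login(kdc, name, password, service, now=None):
    """Client side: derive key from password, run both exchanges, return the TGS reply."""
    key = string_to_key(password)
    rep = toy_decrypt(key, kdc.as_exchange(name))      # a wrong password fails right here
    sk = bytes.fromhex(rep["sk"])
    auth = toy_encrypt(sk, {"client": name, "ts": time.time() if now is None else now})
    return toy_decrypt(sk, kdc.tgs_exchange(rep["tgt"], auth.hex(), service))


def demo():
    keys = {"alice": string_to_key("correct horse"),
            "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
    kdc = KDC(keys)
    rep = client_login(kdc, "alice", "correct horse", "fileserver")
    svc = toy_decrypt(keys["fileserver"], bytes.fromhex(rep["ticket"]))   # server opens its ticket
    return svc["client"], svc["sk"] == rep["sk"]


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing: the workstation never sees the TGS or service keys (it can only open what is sealed under its own key or a session key it was handed), and the timestamp plus replay cache is what turns a captured authenticator into a useless one, which is why Kerberos deployments depend on synchronized clocks.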
Symmetric key encryption algorithms can be categorized as stream ciphers or block ciphers. Block ciphers like the Data Encryption Standard (DES) operate on fixed-length blocks of bits, while stream ciphers process messages bit-by-bit or byte-by-byte. DES is an example of a block cipher that encrypts 64-bit blocks using a 56-bit key. The International Data Encryption Algorithm (IDEA) is another block cipher that uses a 128-bit key and 64-bit blocks; alongside XOR it mixes in addition modulo 2^16 and multiplication modulo 2^16 + 1 as its non-linear operations, whereas DES relies on XOR combined with substitution and permutation tables. IDEA consists of 8 encryption rounds followed by an output transformation to generate the ciphertext from the plaintext and key.
WEP (Wired Equivalent Privacy) was the original security protocol for 802.11 wireless networks. It uses RC4 encryption with a 40-bit shared key (104-bit in later products) concatenated with a 24-bit IV that is sent in the clear. WEP has significant flaws like small keys, key reuse, and IV reuse (the 24-bit IV space wraps quickly on a busy network, and a reused IV means a reused RC4 keystream) that allow attackers to recover keystream, decrypt packets and compromise networks. While it provides some protection, WEP is insecure and better alternatives like WPA (today WPA2 or WPA3) or IPsec should be used to securely encrypt wireless traffic.
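The IV-reuse flaw described above, as an added example (not code from the WEP document): a plain RC4 implementation, WEP-style framing where the per-packet key is IV || shared key, and the three attacker steps that follow from two packets sharing an IV. XORing the two ciphertexts cancels the keystream and leaves p1 XOR p2; one known plaintext (a predictable header, say) then yields the keystream for that IV, which decrypts every other packet sent under it. The packet contents, the key and the IV are constructed for the demo.

```python
# Added example: RC4 keystream reuse in WEP-style framing. Keys and packets are constructed.

def rc4_keystream(key, length):
    """Standard RC4: key-scheduling algorithm, then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key, iv, plaintext):
    """WEP-style framing: per-packet RC4 key = IV (3 bytes) || shared key; IV sent in clear.
    (The real frame also carries a CRC-32 ICV, omitted here.)"""
    assert len(iv) == 3
    return iv + xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def wep_decrypt(shared_key, packet):
    iv, body = packet[:3], packet[3:]
    return xor(body, rc4_keystream(iv + shared_key, len(body)))


def xor_of_plaintexts(packet1, packet2):
    """Attacker step 1: with equal IVs, c1 XOR c2 == p1 XOR p2 because the keystream cancels."""
    assert packet1[:3] == packet2[:3], "attack needs IV reuse"
    return xor(packet1[3:], packet2[3:])


def recover_keystream(packet, known_plaintext):
    """Attacker step 2: one known plaintext exposes the keystream for this IV."""
    return xor(packet[3:3 + len(known_plaintext)], known_plaintext)


def decrypt_with_keystream(packet, keystream):
    """Attacker step 3: any other packet under the same IV decrypts without the key."""
    return xor(packet[3:3 + len(keystream)], keystream)


if __name__ == "__main__":
    shared_key = bytes.fromhex("0123456789")        # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                              # 24-bit IV, reused on purpose
    p1 = b"AAAAAAAAAAAAAAAA login: admin    "         # constructed packet payloads
    p2 = b"AAAAAAAAAAAAAAAA pass: hunter2   "
    c1 = wep_encrypt(shared_key, iv, p1)
    c2 = wep_encrypt(shared_key, iv, p2)
    assert xor_of_plaintexts(c1, c2) == xor(p1, p2)
    ks = recover_keystream(c1, p1)                    # attacker knows p1's contents
    print("recovered:", decrypt_with_keystream(c2, ks))
```

Note that nothing here attacks RC4 itself; the break is purely the stream cipher contract that a keystream must never be used twice, which a 24-bit IV cannot guarantee.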
DES was developed as a standard for communications and data protection by an IBM research team in response to a request from the National Bureau of Standards (now called NIST). DES uses the techniques of confusion and diffusion achieved through numerous permutations and the XOR operation. The basic DES process encrypts a 64-bit block using a 56-bit key over 16 complex rounds consisting of permutations and key-dependent calculations. Triple DES was developed as a more secure version of DES.
The document discusses classical encryption techniques, including symmetric encryption which uses the same key for encryption and decryption. It describes ciphers like the Caesar cipher which substitutes letters by shifting the alphabet, the monoalphabetic cipher with one substitution table, and the polyalphabetic Vigenère cipher which uses multiple substitution alphabets. The document also covers the Playfair cipher which encrypts letters in pairs using a 5x5 keyword matrix, and discusses cryptanalysis techniques for breaking classical ciphers.
An introduction to asymmetric cryptography with an in-depth look at RSA, Diffie-Hellman, the FREAK and LOGJAM attacks on TLS/SSL, and the "Mining your P's and Q's attack".
The document provides an overview of the Advanced Encryption Standard (AES) algorithm. It defines key terms like block, state, and XOR used in AES. It then describes the AES algorithm, which repeats rounds consisting of byte substitution (SubBytes), shifting rows (ShiftRows), mixing columns (MixColumns), and adding a round key (AddRoundKey); the final round omits MixColumns. The number of rounds depends on the key size: 10 for a 16-byte key, 12 for a 24-byte key and 14 for a 32-byte key. Decryption applies the inverse transformations with the round keys in reverse order.
1. The document discusses network security and provides details about stream ciphers and block ciphers. It explains how each type of cipher works and provides examples of each.
2. Details are given about the Feistel cipher structure and how it provides diffusion and confusion through repeated rounds. The Data Encryption Standard (DES) algorithm is described as a prominent example of a Feistel cipher.
3. Principles of block cipher design are outlined, emphasizing the importance of number of rounds, design of the round function F, and the key schedule algorithm in providing security.
This document describes a student project to implement the Advanced Encryption Standard (AES) in Verilog. AES is a symmetric block cipher that uses 128-bit blocks and 128/192/256-bit keys. The project aims to develop optimized and synthesizable Verilog code to encrypt and decrypt 128-bit data using AES. The document provides background on cryptography, AES, and its algorithm which includes key expansion, substitution, transposition, and mixing operations. It also outlines the implementation, encryption, decryption, and performance estimation aspects of the project.
4. The Advanced Encryption Standard (AES), by Sam Bowne
A lecture for a college course -- CNIT 140: Cryptography for Computer Networks at City College San Francisco
Based on "Understanding Cryptography: A Textbook for Students and Practitioners" by Christof Paar, Jan Pelzl, and Bart Preneel, ISBN: 3642041000
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_F17.shtml
The document discusses symmetric key cryptography. It begins with an introduction to cryptography and encryption techniques like substitution ciphers. It then covers symmetric encryption in more detail, explaining block ciphers like DES and AES, as well as modes of operation like ECB, CBC, and OFB. It provides an example Java implementation of AES encryption and decryption. It also briefly covers stream ciphers like RC4 and the concept of steganography.
SHA-512 is a cryptographic hash function that produces a 512-bit hash value. It is part of the SHA-2 family published by the National Institute of Standards and Technology. SHA-512 processes the message in 1024-bit blocks, expanding each block into 80 64-bit words and running 80 rounds of a compression function that updates eight working digest values. It is commonly used to verify file integrity and as the primitive inside password hashing schemes (for example sha512crypt or PBKDF2-HMAC-SHA512); a single unsalted SHA-512 of a password is not an adequate password hash.
The SHA-256 algorithm is a concept of blockchain technology. It is a hashing method; hashing is the process of scrambling raw information to the extent that it cannot be reproduced back to its original form. SHA-256 is part of the SHA-2 family of algorithms, where SHA stands for Secure Hash Algorithm, published in 2001. Its applications include hash tables, integrity verification, challenge-handshake authentication, digital signatures, etc. I have also given a complete solved example of this algorithm.
This document discusses cryptographic hash functions including their applications in message authentication and digital signatures. It describes the requirements for hash functions to be secure including resistance to brute force attacks and cryptanalysis. The document outlines some simple hash functions and provides details on the Secure Hash Algorithm (SHA) family of cryptographic hash functions used in standards like SHA-512 which operates on 1024-bit blocks through 80 rounds. It also mentions NIST's selection of the Keccak algorithm as the new SHA-3 standard.
This document discusses conventional encryption principles and algorithms. It covers the following key points:
1) Conventional encryption uses an encryption algorithm, secret key, and decryption algorithm to encrypt plaintext into ciphertext and decrypt ciphertext back to plaintext. The security depends on keeping the key secret, not the algorithm.
2) Common symmetric encryption algorithms discussed include DES, Triple DES, Blowfish, RC5, and CAST-128. Key sizes and number of rounds are important parameters for security.
3) Modes of operation like cipher block chaining are used to encrypt blocks of plaintext. Encryption can be done at the link level, end-to-end, or both for added security.
4)
Substitution cipher and Its Cryptanalysis, by Sunil Meena
Substitution Cipher
Classical ciphers, monoalphabetic and polyalphabetic ciphers and their cryptanalysis; correctness and security, with a learning analysis.
This document summarizes key concepts about block ciphers and the Data Encryption Standard (DES) cipher. It introduces block ciphers and how they operate on message blocks, describes the Feistel cipher structure and its design principles, and provides details on the DES algorithm including its history, design, encryption process, key schedule, and analysis of its security strengths and weaknesses over time. Differential and linear cryptanalysis attacks on block ciphers are also summarized.
Module 1-Block Ciphers and the Data Encryption Standard.pptx, by SridharCS7
Block ciphers like DES encrypt data in blocks and are based on the Feistel cipher structure. DES uses a 56-bit key to encrypt 64-bit blocks through 16 rounds of substitution and permutation. Modern cryptanalysis techniques like differential and linear cryptanalysis exploit weak points in ciphers' structure, but DES remains reasonably resistant due to its design criteria. Proper block cipher design focuses on aspects like nonlinear round functions, complex subkey generation, and diffusion to withstand analytic attacks.
This document discusses block ciphers and the Data Encryption Standard (DES). It explains that block ciphers encrypt data in blocks, while stream ciphers encrypt data bit-by-bit. DES is a symmetric block cipher that uses a Feistel network structure with 16 rounds to encrypt 64-bit blocks. Each round uses a 48-bit subkey and includes substitution via S-boxes and permutation. Modern cryptanalysis techniques like differential and linear cryptanalysis can potentially break DES, highlighting the need for newer block cipher designs.
The document discusses the Data Encryption Standard (DES) and its encryption process. It then summarizes the Rijndael cipher, which was selected as the Advanced Encryption Standard (AES) in 2001. The AES uses a block cipher structure of iterative rounds involving byte substitution, shifting rows of bytes, mixing columns of bytes, and adding round keys.
This document provides an overview of block ciphers and the Data Encryption Standard (DES) algorithm. It begins with definitions of stream ciphers and block ciphers. It then discusses the principles of confusion and diffusion in encryption algorithms. The document introduces the Feistel cipher structure and how it was developed based on Claude Shannon's work. It provides details on the DES algorithm, including its history, design, encryption process using rounds and subkeys, decryption process, and the avalanche effect property.
This document summarizes Chapter 3 of the textbook "Cryptography and Network Security" by William Stallings. It discusses block ciphers and the Data Encryption Standard (DES). Specifically, it provides an overview of modern block ciphers and DES, including the history and design of DES, how it works using a Feistel cipher structure, and analyses of the strength and security of DES. It also covers differential cryptanalysis as an analytic attack against block ciphers like DES.
This document provides an overview of the AES (Advanced Encryption Standard) cryptographic algorithm. It discusses the origins and development of AES, including the competition that led to Rijndael being selected. The basic structure and conceptual scheme of AES is described as involving multiple rounds of transformations including SubBytes, ShiftRows, MixColumns and AddRoundKey. Details are then provided on each of the round transformations and how they provide confusion and diffusion in the cipher. The security of AES is noted to be stronger than DES due to its larger key size and resistance to known attacks like brute force, differential and linear cryptanalysis.
This document summarizes the key aspects of cryptanalysis and the Data Encryption Standard (DES) algorithm. It discusses the tasks of a cryptanalyst in breaking encryption systems and outlines the basic structure and operation of DES. DES encrypts 64-bit blocks using a 56-bit key and 16 rounds of encryption. Each round uses a 48-bit subkey and the Feistel network structure to provide diffusion and confusion. The document also notes concerns about the cryptographic strength of DES' 56-bit keys and 8 substitution boxes against attacks over time.
This document summarizes a chapter about block ciphers and the Data Encryption Standard (DES) from the textbook "Cryptography and Network Security". It begins by defining block ciphers and differentiating them from stream ciphers. It then explains the Feistel cipher structure used in many symmetric block ciphers, including the concepts of confusion and diffusion. The document focuses on DES, describing its design, encryption process using Feistel rounds and subkeys, and analyses of its security including differential and linear cryptanalysis. It concludes by noting basic design principles for block ciphers.
Information and data security block cipher and the data encryption standard (..., by Mazin Alwaaly
Block ciphers like DES encrypt data in fixed-size blocks and use symmetric encryption keys. DES is a 64-bit block cipher that uses a 56-bit key. It employs a Feistel network structure with 16 rounds to provide diffusion and confusion of the plaintext block. Each round uses subkey-dependent substitution boxes and permutation functions. While DES was widely adopted, cryptanalysis showed it could be broken with fewer than 2^56 operations, and exhaustive search of the 2^56 keys itself became practical, making the key size too short by modern standards.
This document discusses block ciphers and summarizes the Data Encryption Standard (DES) algorithm. It introduces block ciphers and the Feistel structure used in many modern block ciphers. It then describes the DES algorithm in detail, including its 56-bit key, 64-bit block size, Feistel structure using substitution boxes and round keys, and vulnerability to brute force attacks. It also summarizes triple DES which strengthens DES security by using 168-bit keys.
The document discusses stream ciphers and block ciphers. It explains that stream ciphers encrypt data bit-by-bit or byte-by-byte, requiring a randomly generated keystream, while block ciphers encrypt fixed-length blocks, allowing for broader applications. It then focuses on the Feistel cipher structure for block ciphers, proposed by Feistel to approximate an ideal block cipher for large block sizes. The Feistel structure uses a product cipher approach involving substitutions and permutations to provide diffusion and confusion and resist statistical cryptanalysis.
This document discusses block ciphers and provides details about the Data Encryption Standard (DES). It explains that block ciphers like DES operate on fixed-size blocks of plaintext, while stream ciphers operate on plaintext one bit or byte at a time. DES is based on a Feistel cipher structure, which partitions the data block into halves that are swapped and transformed over multiple rounds using subkeys derived from the main key. The DES algorithm, key schedule, and encryption/decryption process are described. Cryptanalytic attacks on DES like differential and linear cryptanalysis are also summarized.
Jaimin chp-8 - network security-new -use this - 2011 batch, by Jaimin Jani
The document discusses cryptography concepts including symmetric and asymmetric encryption algorithms like DES, AES, RSA. It explains the basic working principles of RSA including key generation using large prime numbers, modular arithmetic and the concept of one-way functions that make private key derivation difficult. It also covers cryptographic modes of operation like ECB, CBC that are used to encrypt data blocks of arbitrary length.
This document provides a tutorial on linear and differential cryptanalysis. It summarizes the attacks and applies them to a simple substitution-permutation network cipher as an example. The tutorial explains how to construct linear expressions to exploit the nonlinear properties of the cipher's S-boxes. It also introduces the "piling-up principle", which shows that combining independent biased variables results in a cumulative bias according to a simple formula. The overall goal is to provide an intuitive explanation of these cryptanalysis techniques for novice cryptanalysts.
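The linear-approximation and piling-up ideas in the tutorial summarized above, as an added example (not the tutorial's own code): the script builds the linear approximation table of a 4-bit S-box, that is, for every input mask a and output mask b the bias of the relation a.x XOR b.S(x) = 0 over all 16 inputs, finds the most biased non-trivial approximation, and then checks Matsui's piling-up lemma (bias of an XOR of n independent approximations = 2^(n-1) times the product of their biases) by exhaustive enumeration instead of trusting the formula. The S-box is the first row of DES S-box S1, used here only as a concrete sample; masks are integers with the most significant bit as the first input bit.

```python
# Added example: linear approximation table, best linear approximation, and an
# exhaustive check of the piling-up lemma on a 4-bit S-box.
from fractions import Fraction
from itertools import product

# First row of DES S-box S1, used as a sample 4x4 S-box.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(v):
    return bin(v).count("1") & 1


def lat_count(sbox, a, b):
    """Number of inputs x with parity(a & x) == parity(b & S(x))."""
    return sum(parity(a & x) == parity(b & sbox[x]) for x in range(len(sbox)))


def bias(sbox, a, b):
    """epsilon = Pr[a.x XOR b.S(x) = 0] - 1/2, as an exact fraction."""
    return Fraction(lat_count(sbox, a, b), len(sbox)) - Fraction(1, 2)


def lat(sbox):
    """Linear approximation table: rows are input masks, columns output masks,
    entries are count - n/2 (so +-8 would mean a perfectly linear relation)."""
    n = len(sbox)
    return [[lat_count(sbox, a, b) - n // 2 for b in range(n)] for a in range(n)]


def best_approximation(sbox):
    """The non-trivial (a, b) with the largest |bias|; the attacker's starting point."""
    n = len(sbox)
    a, b = max(((a, b) for a in range(1, n) for b in range(1, n)),
               key=lambda m: abs(bias(sbox, *m)))
    return a, b, bias(sbox, a, b)


def piling_up(biases):
    """Matsui's piling-up lemma for independent approximations."""
    result = Fraction(2) ** (len(biases) - 1)
    for e in biases:
        result *= e
    return result


def combined_bias_exhaustive(sbox, masks):
    """Bias of the XOR of several S-box approximations, each on its own independent
    uniform input, computed by enumerating every input tuple (no lemma used)."""
    n = len(sbox)
    hits = 0
    for xs in product(range(n), repeat=len(masks)):
        total = 0
        for x, (a, b) in zip(xs, masks):
            total ^= parity(a & x) ^ parity(b & sbox[x])
        hits += total == 0
    return Fraction(hits, n ** len(masks)) - Fraction(1, 2)


if __name__ == "__main__":
    for row in lat(SBOX):
        print(" ".join(f"{v:+3d}" for v in row))
    a, b, e = best_approximation(SBOX)
    print(f"best non-trivial approximation: in {a:04b} out {b:04b} bias {e}")
    masks = [(0b1000, 0b1000), (0b0100, 0b0110)]
    lemma = piling_up([bias(SBOX, *m) for m in masks])
    print("piling-up:", lemma, "exhaustive:", combined_bias_exhaustive(SBOX, masks))
```

Two things to read off the output: row 0 of the table is all zeros except column 0, because S is a permutation (every non-zero output mask is balanced), and the lemma agrees with the exhaustive count exactly only because the S-box inputs are independent; in a real cipher the round inputs are not independent, which is why the lemma is an approximation there and why the attacker's data requirement is quoted as roughly 1/epsilon^2 known plaintexts.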
This document provides an overview of the Data Encryption Standard (DES) block cipher. It describes how DES uses a Feistel network structure with 16 rounds to encrypt 64-bit blocks. Each round uses a 48-bit subkey generated from the original 56-bit key. The round function includes expansion, XOR with the subkey, substitution via S-boxes, and permutation. DES decryption is identical to encryption except the subkeys are used in reverse order. The document also discusses properties like avalanche effect and how small changes in plaintext/key result in large changes in ciphertext.
This document provides an overview of the Data Encryption Standard (DES) block cipher. It discusses how DES uses a Feistel network structure with 16 rounds to encrypt 64-bit blocks. Each round uses a 48-bit subkey generated from the original 56-bit key. The document also summarizes analyses of DES's security, noting that while no structural break is known, dedicated brute-force hardware has recovered keys in days and differential cryptanalysis provides a theoretical attack in 2^47 steps (requiring 2^47 chosen plaintexts). Overall, the document gives a high-level technical introduction to the DES standard and analyses of its security.
Similar to cryptography and network security chap 3 (20)
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Infrastructure Challenges in Scaling RAG with Custom AI modelsZilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
2. Chapter 3 – Block Ciphers and the Data Encryption Standard
All the afternoon Mungo had been working on Stern's code, principally with the aid of the latest messages which he had copied down at the Nevin Square drop. Stern was very confident. He must be well aware London Central knew about that drop. It was obvious that they didn't care how often Mungo read their messages, so confident were they in the impenetrability of the code.
—Talking to Strange Men, Ruth Rendell
3. Modern Block Ciphers
now look at modern block ciphers
one of the most widely used types of cryptographic algorithms
provide secrecy / authentication services
focus on DES (Data Encryption Standard) to illustrate block cipher design principles
4. Block vs Stream Ciphers
block ciphers process messages in blocks, each of which is then en/decrypted
like a substitution on very big characters (64-bits or more)
stream ciphers process messages a bit or byte at a time when en/decrypting
many current ciphers are block ciphers
better analysed
broader range of applications
6. Block Cipher Principles
most symmetric block ciphers are based on a Feistel Cipher Structure
needed since must be able to decrypt ciphertext to recover messages efficiently
block ciphers look like an extremely large substitution
would need table of 2^64 entries for a 64-bit block
instead create from smaller building blocks using idea of a product cipher
8. Claude Shannon and Substitution-Permutation Ciphers
Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper
form basis of modern block ciphers
S-P nets are based on the two primitive cryptographic operations seen before:
substitution (S-box)
permutation (P-box)
provide confusion & diffusion of message & key
9. Confusion and Diffusion
cipher needs to completely obscure statistical properties of original message
a one-time pad does this
more practically Shannon suggested combining S & P elements to obtain:
diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
confusion – makes relationship between ciphertext and key as complex as possible
10. Feistel Cipher Structure
Horst Feistel devised the Feistel cipher
based on concept of invertible product cipher
partitions input block into two halves
process through multiple rounds which perform a substitution on left data half based on round function of right half & subkey
then have permutation swapping halves
implements Shannon’s S-P net concept
12. Feistel Cipher Design Elements
block size
key size
number of rounds
subkey generation algorithm
round function
fast software en/decryption
ease of analysis
13. Data Encryption Standard (DES)
most widely used block cipher in world
adopted in 1977 by NBS (now NIST) as FIPS PUB 46
encrypts 64-bit data using 56-bit key
has widespread use
has been considerable controversy over its security
14. DES History
IBM developed Lucifer cipher by team led by Feistel in late 60’s
used 64-bit data blocks with 128-bit key
then redeveloped as a commercial cipher with input from NSA and others
in 1973 NBS issued request for proposals for a national cipher standard
IBM submitted their revised Lucifer which was eventually accepted as the DES
15. DES Design Controversy
although DES standard is public, was considerable controversy over design
in choice of 56-bit key (vs Lucifer 128-bit)
and because design criteria were classified
subsequent events and public analysis show in fact design was appropriate
use of DES has flourished, especially in financial applications
still standardised for legacy application use
17. Initial Permutation IP
first step of the data computation
IP reorders the input data bits
even bits to LH half, odd bits to RH half
quite regular in structure (easy in h/w)
example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
18. DES Round Structure
uses two 32-bit L & R halves
as for any Feistel cipher can describe as:
L_i = R_{i-1}
R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
F takes 32-bit R half and 48-bit subkey:
expands R to 48-bits using perm E
adds to subkey using XOR
passes through 8 S-boxes to get 32-bit result
finally permutes using 32-bit perm P
20. Substitution Boxes S
have eight S-boxes which map 6 to 4 bits
each S-box is actually 4 little 4 bit boxes
outer bits 1 & 6 (row bits) select one row of 4
inner bits 2-5 (col bits) are substituted
result is 8 lots of 4 bits, or 32 bits
row selection depends on both data & key
feature known as autoclaving (autokeying)
example:
S(18 09 12 3d 11 17 38 39) = 5fd25e03
21. DES Key Schedule
forms subkeys used in each round
initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
16 stages consisting of:
• rotating each half separately either 1 or 2 places depending on the key rotation schedule K
• selecting 24-bits from each half & permuting them by PC2 for use in round function F
note practical use issues in h/w vs s/w
22. DES Decryption
decrypt must unwind steps of data computation
with Feistel design, do encryption steps again
using subkeys in reverse order (SK16 … SK1)
IP undoes final FP step of encryption
1st round with SK16 undoes 16th encrypt round
….
16th round with SK1 undoes 1st encrypt round
then final FP undoes initial encryption IP
thus recovering original data value
25. Avalanche Effect
key desirable property of encryption alg
where a change of one input or key bit results in changing approx half output bits
making attempts to “home-in” by guessing keys impossible
DES exhibits strong avalanche
26. Strength of DES – Key Size
56-bit keys have 2^56 = 7.2 x 10^16 values
brute force search looks hard
recent advances have shown is possible
in 1997 on Internet in a few months
in 1998 on dedicated h/w (EFF) in a few days
in 1999 above combined in 22hrs!
still must be able to recognize plaintext
must now consider alternatives to DES
27. Strength of DES – Analytic Attacks
now have several analytic attacks on DES
these utilise some deep structure of the cipher
by gathering information about encryptions can eventually recover some/all of the sub-key bits
if necessary then exhaustively search for the rest
generally these are statistical attacks
differential cryptanalysis
linear cryptanalysis
related key attacks
28. Strength of DES – Timing Attacks
attacks actual implementation of cipher
use knowledge of consequences of implementation to derive information about some/all subkey bits
specifically use fact that calculations can take varying times depending on the value of the inputs to it
particularly problematic on smartcards
29. Differential Cryptanalysis
one of the most significant recent (public) advances in cryptanalysis
known by NSA in 70's cf DES design
Murphy, Biham & Shamir published in 90’s
powerful method to analyse block ciphers
used to analyse most current block ciphers with varying degrees of success
DES reasonably resistant to it, cf Lucifer
30. Differential Cryptanalysis
a statistical attack against Feistel ciphers
uses cipher structure not previously used
design of S-P networks has output of function f influenced by both input & key
hence cannot trace values back through cipher without knowing value of the key
differential cryptanalysis compares two related pairs of encryptions
31. Differential Cryptanalysis Compares Pairs of Encryptions
with a known difference in the input
searching for a known difference in output
when same subkeys are used
32. Differential Cryptanalysis
have some input difference giving some output difference with probability p
if find instances of some higher probability input / output difference pairs occurring
can infer subkey that was used in round
then must iterate process over many rounds (with decreasing probabilities)
34. Differential Cryptanalysis
perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR
when found
can then deduce key values for the rounds
if intermediate rounds match required XOR have a right pair
if not then have a wrong pair, relative ratio is S/N for attack
right pairs suggest same key bits
wrong pairs give random values
for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs
Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES
35. Linear Cryptanalysis
another recent development
also a statistical method
must be iterated over rounds, with decreasing probabilities
developed by Matsui et al in early 90's
based on finding linear approximations
can attack DES with 2^43 known plaintexts, easier but still in practice infeasible
36. Linear Cryptanalysis
find linear approximations with prob p != ½
P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]
where ia,jb,kc are bit locations in P,C,K
gives linear equation for key bits
get one key bit using max likelihood alg using a large number of trial encryptions
effectiveness given by: |p–1/2|
37. DES Design Criteria
as reported by Coppersmith in [COPP94]
7 criteria for S-boxes provide for
non-linearity
resistance to differential cryptanalysis
good confusion
3 criteria for permutation P provide for
increased diffusion
38. Block Cipher Design
basic principles still like Feistel’s in 1970’s
number of rounds
more is better, exhaustive search best attack
function f:
provides “confusion”, is nonlinear, avalanche
have issues of how S-boxes are selected
key schedule
complex subkey creation, key avalanche
39. Summary
have considered:
block vs stream ciphers
Feistel cipher design & structure
DES
• details
• strength
Differential & Linear Cryptanalysis
block cipher design principles
Editor's Notes
Lecture slides by Lawrie Brown for “Cryptography and Network Security”, 5/e, by William Stallings, Chapter 3 – “Block Ciphers and the Data Encryption Standard”.
Intro quote.
The objective of this chapter is to illustrate the principles of modern symmetric ciphers. For this purpose, we focus on the most widely used symmetric cipher: the Data Encryption Standard (DES). Although numerous symmetric ciphers have been developed since the introduction of DES, and although it is destined to be replaced by the Advanced Encryption Standard (AES), DES remains the most important such algorithm. Further, a detailed study of DES provides an understanding of the principles used in other symmetric ciphers. This chapter begins with a discussion of the general principles of symmetric block ciphers. Next, we cover full DES. Following this look at a specific algorithm, we return to a more general discussion of block cipher design.
Block ciphers work on a block / word at a time, which is some number of bits. All of these bits have to be available before the block can be processed. Stream ciphers work on a bit or byte of the message at a time, hence process it as a “stream”. Block ciphers are currently better analysed, and seem to have a broader range of applications, hence focus on them.
A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used. As with a stream cipher, the two users share a symmetric encryption key (Figure 3.1b). A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. In the ideal case, a one-time pad version of the Vernam cipher would be used (Figure 2.7), in which the keystream (k) is as long as the plaintext bit stream (p).
Most symmetric block encryption algorithms in current use are based on a structure referred to as a Feistel block cipher. A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits. An arbitrary reversible substitution cipher for a large block size is not practical, however, from an implementation and performance point of view. In general, for an n-bit general substitution block cipher, the size of the key is n x 2^n. For a 64-bit block, which is a desirable length to thwart statistical attacks, the key size is 64 x 2^64 = 2^70 ≈ 10^21 bits. In considering these difficulties, Feistel points out that what is needed is an approximation to the ideal block cipher system for large n, built up out of components that are easily realizable.
Feistel refers to an n-bit general substitution as an ideal block cipher, because it allows for the maximum number of possible encryption mappings from the plaintext to ciphertext block. A 4-bit input produces one of 16 possible input states, which is mapped by the substitution cipher into a unique one of 16 possible output states, each of which is represented by 4 ciphertext bits. The encryption and decryption mappings can be defined by a tabulation, as shown in Stallings Figure 3.2. It illustrates a tiny 4-bit substitution to show that each possible input can be arbitrarily mapped to any output - which is why its complexity grows so rapidly.
Feistel proposed that we can approximate the ideal block cipher by utilizing the concept of a product cipher, which is the execution of two or more simple ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers. In particular, Feistel proposed the use of a cipher that alternates substitutions and permutations, as a practical application of a proposal by Claude Shannon. Claude Shannon’s 1949 paper has the key ideas that led to the development of modern block ciphers. Critically, it was the technique of layering groups of S-boxes separated by a larger P-box to form the S-P network, a complex form of a product cipher. He also introduced the ideas of confusion and diffusion, notionally provided by S-boxes and P-boxes (in conjunction with S-boxes).
The terms diffusion and confusion were introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system. Shannon's concern was to thwart cryptanalysis based on statistical analysis. Every block cipher involves a transformation of a block of plaintext into a block of ciphertext, where the transformation depends on the key. The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce the key. Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key.
So successful are diffusion and confusion in capturing the essence of the desired attributes of a block cipher that they have become the cornerstone of modern block cipher design.
Horst Feistel, working at IBM Thomas J Watson Research Labs, devised a suitable invertible cipher structure in the early 70's.
One of Feistel's main contributions was the invention of a suitable structure which adapted Shannon's S-P network in an easily inverted structure. It partitions the input block into two halves, which are processed through multiple rounds that perform a substitution on the left data half, based on a round function of the right half & subkey, and then a permutation swapping the halves. Essentially the same h/w or s/w is used for both encryption and decryption, with just a slight change in how the keys are used. One layer of S-boxes and the following P-box are used to form the round function.
Stallings Figure 3.3 illustrates the classical Feistel cipher structure, with data split in 2 halves, processed through a number of rounds which perform a substitution on the left half using the output of the round function on the right half & key, and a permutation which swaps the halves, as listed previously. The LHS of this figure shows the flow during encryption, the RHS in decryption.
The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves, L_0 and R_0. The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block. Each round i has as inputs L_{i-1} and R_{i-1}, derived from the previous round, as well as a subkey K_i, derived from the overall K. In general, the subkeys K_i are different from K and from each other.
The process of decryption with a Feistel cipher is essentially the same as the encryption process. The rule is as follows: Use the ciphertext as input to the algorithm, but use the subkeys K_i in reverse order. That is, use K_n in the first round, K_{n-1} in the second round, and so on until K_1 is used in the last round. This is a nice feature because it means we need not implement two different algorithms, one for encryption and one for decryption. See discussion in text for why using the same algorithm with a reversed key order produces the correct result, noting that at every round, the intermediate value of the decryption process is equal to the corresponding value of the encryption process with the two halves of the value swapped.
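As an added example (not from the slides or Stallings' text), a toy 16-bit Feistel network in Python: the round function F is deliberately not invertible, yet decryption is encryption with the subkey list reversed, and at every round the decryption state equals the encryption state with its halves swapped, as the note above says. The 4-bit S-box, the 8-round rotation schedule and all function names are constructed for this example and are not DES.

```python
# Added example, not DES: a toy 16-bit Feistel network showing that the
# structure inverts itself when the subkeys are fed in reverse order, even
# though the round function F itself is not invertible.

HALF_BITS = 8                       # two 8-bit halves -> 16-bit block
HALF_MASK = (1 << HALF_BITS) - 1

# Hypothetical 4-bit S-box constructed for this example (not a DES S-box).
TOY_SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
            0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

# Toy rotation schedule in the spirit of the DES key schedule (1 or 2 places).
ROTATIONS = [1, 1, 2, 2, 2, 2, 2, 2]


def key_schedule(master_key, rounds=8):
    """Derive one 8-bit subkey per round by rotating the key left 1 or 2 places."""
    subkeys = []
    k = master_key & HALF_MASK
    for i in range(rounds):
        r = ROTATIONS[i % len(ROTATIONS)]
        k = ((k << r) | (k >> (HALF_BITS - r))) & HALF_MASK
        subkeys.append(k)
    return subkeys


def round_function(right, subkey):
    """F(R, K): XOR the subkey in, substitute each nibble, swap the nibbles.
    F need not be a bijection; only the XOR into the other half must be."""
    x = (right ^ subkey) & HALF_MASK
    hi, lo = x >> 4, x & 0xF
    return (TOY_SBOX[lo] << 4) | TOY_SBOX[hi]


def feistel_trace(block, subkeys):
    """Return the (L_i, R_i) state before round 1 and after every round,
    using L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i)."""
    left = (block >> HALF_BITS) & HALF_MASK
    right = block & HALF_MASK
    states = [(left, right)]
    for subkey in subkeys:
        left, right = right, left ^ round_function(right, subkey)
        states.append((left, right))
    return states


def feistel(block, subkeys):
    """Run the rounds, then output the halves swapped (R_n, L_n): this final
    swap is what makes the same routine serve for decryption."""
    left, right = feistel_trace(block, subkeys)[-1]
    return (right << HALF_BITS) | left


def encrypt(block, subkeys):
    return feistel(block, subkeys)


def decrypt(block, subkeys):
    # Same algorithm, subkeys K_n ... K_1 instead of K_1 ... K_n.
    return feistel(block, list(reversed(subkeys)))


def decryption_mirrors_encryption(block, subkeys):
    """Check the property from the text: the decryption state after round i
    equals the encryption state after round n-i with its halves swapped."""
    enc = feistel_trace(block, subkeys)
    dec = feistel_trace(encrypt(block, subkeys), list(reversed(subkeys)))
    n = len(subkeys)
    return all(dec[i] == (enc[n - i][1], enc[n - i][0]) for i in range(n + 1))


def bits_changed(a, b):
    """Hamming distance, for eyeballing avalanche between two ciphertexts."""
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    ks = key_schedule(0xA5)
    pt = 0x1234
    ct = encrypt(pt, ks)
    print(f"plaintext  {pt:04x} -> ciphertext {ct:04x}")
    print(f"decrypted  {decrypt(ct, ks):04x}")
    print("round states mirror:", decryption_mirrors_encryption(pt, ks))
    print("bits changed by flipping plaintext bit 0:",
          bits_changed(ct, encrypt(pt ^ 1, ks)))
```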
The exact realization of a Feistel network depends on the choice of the following parameters and design features:
block size - increasing size improves security, but slows cipher
key size - increasing size improves security, makes exhaustive key searching harder, but may slow cipher
number of rounds - increasing number improves security, but slows cipher
subkey generation algorithm - greater complexity can make analysis harder, but slows cipher
round function - greater complexity can make analysis harder, but slows cipher
fast software en/decryption - more recent concern for practical use
ease of analysis - for easier validation & testing of strength
The most widely used private key block cipher is the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit key. The DES enjoys widespread use. It has also been the subject of much controversy over its security.
In the late 1960s, IBM set up a research project in computer cryptography led by Horst Feistel. The project concluded in 1971 with the development of the LUCIFER algorithm. LUCIFER is a Feistel block cipher that operates on blocks of 64 bits, using a key size of 128 bits.
Because of the promising results produced by the LUCIFER project, IBM embarked on an effort, headed by Walter Tuchman and Carl Meyer, to develop a marketable commercial encryption product that ideally could be implemented on a single chip. It involved not only IBM researchers but also outside consultants and technical advice from NSA. The outcome of this effort was a refined version of LUCIFER that was more resistant to cryptanalysis but that had a reduced key size of 56 bits, to fit on a single chip.
In 1973, the National Bureau of Standards (NBS) issued a request for proposals for a national cipher standard. IBM submitted the modified LUCIFER. It was by far the best algorithm proposed and was adopted in 1977 as the Data Encryption Standard.
Before its adoption as a standard, the proposed DES was subjected to intense & continuing criticism over the size of its key & the classified design criteria.
Recent analysis has shown that, despite this controversy, DES is well designed. DES is theoretically broken using differential or linear cryptanalysis, but in practice this is unlikely to be a problem yet. Rapid advances in computing speed, though, have rendered the 56-bit key susceptible to exhaustive key search, as predicted by Diffie & Hellman.
DES has flourished and is widely used, especially in financial applications. It is still standardized for legacy systems, with either AES or triple DES for new applications.
The overall scheme for DES encryption is illustrated in Stallings Figure 3.4, which takes as input 64-bits of data and of key.
The left side shows the basic process for enciphering a 64-bit data block which consists of:
- an initial permutation (IP) which shuffles the 64-bit input block
- 16 rounds of a complex key dependent round function involving substitutions & permutations
- a final permutation, being the inverse of IP
The right side shows the handling of the 56-bit key and consists of:
- an initial permutation of the key (PC1) which selects 56-bits out of the 64-bits input, in two 28-bit halves
- 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves
The initial permutation and its inverse are defined by tables, as shown in Stallings Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits.
Note that the bit numbering for DES reflects IBM mainframe practice, and is the opposite of what we now mostly use - so be careful! Bits are numbered from bit 1 (leftmost, most significant) to bit 32/48/64 etc. (rightmost, least significant).
For example, a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left & right halves) after permuting with IP becomes “ffb2194d 004df6fb”. Note that example values are specified using hexadecimal.
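As an added worked example (not code from the original notes or from Stallings), the following Python reproduces the IP example above. It applies the IP table with the DES convention that bit 1 is the leftmost, most significant bit, and derives the final permutation as the inverse of IP rather than typing a second table. The IP table is the standard one from the DES specification; the function names are my own.

```python
# Added example: DES initial permutation (IP) and its inverse, using the
# DES bit-numbering convention (bit 1 = leftmost / most significant).
# The IP table below is the standard one from the DES specification.
IP = [58, 50, 42, 34, 26, 18, 10, 2,  60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,  64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1,   59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,  63, 55, 47, 39, 31, 23, 15, 7]


def hex_to_bits(hex_str, nbits):
    """Hex string -> list of bits; index 0 holds DES 'bit 1' (the MSB)."""
    value = int(hex_str, 16)
    return [(value >> (nbits - 1 - i)) & 1 for i in range(nbits)]


def bits_to_hex(bits):
    """Inverse of hex_to_bits; the hex width is fixed by the bit count."""
    value = int("".join(str(b) for b in bits), 2)
    return f"{value:0{len(bits) // 4}x}"


def permute(bits, table):
    """Output bit k (1-based) is input bit table[k-1], as in the DES tables."""
    return [bits[i - 1] for i in table]


def inverse_table(table):
    """Build the inverse permutation table: if output k came from input j,
    the inverse sends input k back to output j."""
    inverse = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inverse[in_pos - 1] = out_pos
    return inverse


# The final permutation is defined as the inverse of IP, so derive it.
FP = inverse_table(IP)


def initial_permutation(hex_block):
    return bits_to_hex(permute(hex_to_bits(hex_block, 64), IP))


def final_permutation(hex_block):
    return bits_to_hex(permute(hex_to_bits(hex_block, 64), FP))


if __name__ == "__main__":
    plaintext = "675a69675e5a6b5a"           # value used in the notes above
    after_ip = initial_permutation(plaintext)
    print(after_ip)                           # ffb2194d004df6fb
    print(final_permutation(after_ip))        # back to 675a69675e5a6b5a
```

Deriving FP from IP, and checking that the two compose to the identity, is a cheap self-test worth keeping in any DES implementation: a single transposed entry in a hand-typed table silently produces a cipher that is no longer DES.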
We now review the internal structure of the DES round function F, which takes the R half & a subkey, and processes them. The round key Ki is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by using a table that defines a permutation plus an expansion that involves duplication of 16 of the R bits (Table 3.2c). The resulting 48 bits are XORed with Ki. This 48-bit result passes through a substitution function that produces a 32-bit output, which is permuted as defined by Table 3.2d. This follows the classic structure for a Feistel cipher.
Note that the s-boxes provide the “confusion” of data and key values, whilst the permutation P then spreads this as widely as possible, so each S-box output affects as many S-box inputs in the next round as possible, giving “diffusion”.
Stallings Figure 3.7 illustrates the internal structure of the DES round function F. The R input is first expanded to 48 bits by using expansion table E that defines a permutation plus an expansion that involves duplication of 16 of the R bits (Stallings Table 3.2c). The resulting 48 bits are XORed with key Ki. This 48-bit result passes through a substitution function comprising 8 S-boxes which each map 6 input bits to 4 output bits, producing a 32-bit output, which is then permuted by permutation P as defined by Stallings Table 3.2d.
The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output. These transformations are defined in Stallings Table 3.3, which is interpreted as follows: The first and last bits of the input to box Si form a 2-bit binary number to select one of four substitutions defined by the four rows in the table for Si. The middle four bits select one of the sixteen columns. The decimal value in the cell selected by the row and column is then converted to its 4-bit representation to produce the output. For example, in S1, for input 011001, the row is 01 (row 1) and the column is 1100 (column 12). The value in row 1, column 12 is 9, so the output is 1001.
The example lists 8 6-bit values (i.e. 18 in hex is 011000 in binary, 09 hex is 001001 binary, 12 hex is 010010 binary, 3d hex is 111101 binary, etc.), each of which is replaced following the process detailed above using the appropriate S-box, i.e.
- S1(011000): look up row 00, column 1100 in S1 to get 5
- S2(001001): look up row 01, column 0100 in S2 to get 15 = f in hex
- S3(010010): look up row 00, column 1001 in S3 to get 13 = d in hex
- S4(111101): look up row 11, column 1110 in S4 to get 2, etc.
The DES Key Schedule generates the subkeys needed for each data encryption round. A 64-bit key is used as input to the algorithm, though every eighth bit is ignored, as indicated by the lack of shading in Table 3.4a. It is first processed by Permuted Choice One (Stallings Table 3.4b). The resulting 56-bit key is then treated as two 28-bit quantities C & D. In each round, these are separately processed through a circular left shift (rotation) of 1 or 2 bits as shown in Stallings Table 3.4d. These shifted values serve as input to the next round of the key schedule. They also serve as input to Permuted Choice Two (Stallings Table 3.4c), which produces a 48-bit output that serves as input to the round function F.
The 56-bit key size, as we now know, came from security considerations. It was big enough so that an exhaustive key search was about as hard as the best direct attack (a form of differential cryptanalysis called a T-attack, known to the IBM & NSA researchers), but no bigger. The extra 8 bits were then used as parity (error detecting) bits, which makes sense given the original design use for hardware communications links. However this creates an incompatibility with simple s/w implementations: when a key is taken from ASCII text, the top bit in each byte is 0 (since ASCII only uses 7 bits), but it is the bottom bit of each byte that the DES key schedule throws away! A good implementation needs to be cleverer!
As with any Feistel cipher, DES decryption uses the same algorithm as encryption except that the subkeys are used in reverse order SK16 .. SK1.
If you trace through the DES overview diagram, you can see how each decryption step, taken top to bottom with reversed subkeys, undoes the equivalent encryption step taken from bottom to top.
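The key schedule and the reversed subkey order for decryption, as an added example (not code from the original notes or from Stallings). PC-1, PC-2 and the shift schedule are the standard DES tables; the key is the one from the worked example in these notes; the function names are my own. It also demonstrates the two points made above: PC-1 discards bits 8, 16, ..., 64 (so flipping those bits leaves every subkey unchanged), and the shifts sum to 28 (so C and D return to their starting values after round 16).

```python
# Added example: DES key schedule (PC-1, 16 rotate-and-PC-2 stages) and the
# reversed subkey order used for decryption. Tables are the standard DES ones.
PC1 = [57, 49, 41, 33, 25, 17, 9,   1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27,   19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29,   21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5,    3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8,    16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55,  30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53,  46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # Table 3.4d


def hex_to_bits(hex_str, nbits):
    """Hex string -> list of bits; index 0 holds DES 'bit 1' (the MSB)."""
    value = int(hex_str, 16)
    return [(value >> (nbits - 1 - i)) & 1 for i in range(nbits)]


def bits_to_hex(bits):
    value = int("".join(str(b) for b in bits), 2)
    return f"{value:0{len(bits) // 4}x}"


def permute(bits, table):
    """Output bit k (1-based) is input bit table[k-1]."""
    return [bits[i - 1] for i in table]


def rotate_left(half, n):
    return half[n:] + half[:n]


def key_schedule(key_hex):
    """Return the 16 round subkeys K1..K16, each as a list of 48 bits."""
    cd = permute(hex_to_bits(key_hex, 64), PC1)   # 56 bits; parity bits dropped
    c, d = cd[:28], cd[28:]
    subkeys = []
    for shift in SHIFTS:
        c, d = rotate_left(c, shift), rotate_left(d, shift)
        subkeys.append(permute(c + d, PC2))       # 48 of the 56 bits
    return subkeys


def subkeys_hex(key_hex):
    return [bits_to_hex(k) for k in key_schedule(key_hex)]


def decryption_subkeys(key_hex):
    """Same algorithm, subkeys consumed in reverse order K16..K1."""
    return list(reversed(key_schedule(key_hex)))


def halves_return_to_start(key_hex):
    """The shifts sum to 28, so after round 16 C and D equal C0 and D0."""
    cd = permute(hex_to_bits(key_hex, 64), PC1)
    c, d = cd[:28], cd[28:]
    c0, d0 = list(c), list(d)
    for shift in SHIFTS:
        c, d = rotate_left(c, shift), rotate_left(d, shift)
    return (c, d) == (c0, d0)


def flip_parity_bits(key_hex):
    """XOR bit 8 of every byte: the bits the key schedule ignores."""
    return f"{int(key_hex, 16) ^ 0x0101010101010101:016x}"


def flip_top_bits(key_hex):
    """XOR bit 1 of every byte: bits that PC-1 does select."""
    return f"{int(key_hex, 16) ^ 0x8080808080808080:016x}"


if __name__ == "__main__":
    key = "0f1571c947d9e859"                  # key from the worked example
    for i, k in enumerate(subkeys_hex(key), start=1):
        print(f"K{i:<2} {k}")
    print(subkeys_hex(flip_parity_bits(key)) == subkeys_hex(key))   # True
    print(halves_return_to_start(key))                               # True
```

The parity-bit property is exactly the pitfall from the previous paragraph: a software implementation that fills the key from 7-bit ASCII leaves bit 1 of each byte at zero, and those are bits PC-1 does select, while the bits PC-1 ignores carry no key material at all.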
We can now work through an example, and consider some of its implications. In this example, the plaintext is a hexadecimal palindrome, with:
Plaintext: 02468aceeca86420
Key: 0f1571c947d9e859
Ciphertext: da02ce3a89ecac3b
Table 3.5 shows the progression of the algorithm. The first row shows the 32-bit values of the left and right halves of data after the initial permutation. The next 16 rows show the results after each round. Also shown is the value of the 48-bit subkey generated for each round. The final row shows the left and right-hand values after the inverse initial permutation. These two values combined form the ciphertext.
A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext. In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext. This is referred to as the avalanche effect. Using the example from Table 3.5, Table 3.6 shows the result when the fourth bit of the plaintext is changed, so that the plaintext is 12468aceeca86420. The second column of the table shows the intermediate 64-bit values at the end of each round for the two plaintexts. The third column shows the number of bits that differ between the two intermediate values. The table shows that after just three rounds, 18 bits differ between the two blocks. On completion, the two ciphertexts differ in 32 bit positions. Table 3.7 in the text shows a similar test using the original plaintext with two keys that differ in only the fourth bit position. Again, the results show that about half of the bits in the ciphertext differ and that the avalanche effect is pronounced after just a few rounds.
A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext. In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext. If the change were small, this might provide a way to reduce the size of the plaintext or key space to be searched. DES exhibits a strong avalanche effect, as may be seen in Stallings Table 3.5.
Since its adoption as a federal standard, there have been lingering concerns about the level of security provided by DES in two areas: key size and the nature of the algorithm.
With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2*10^16 keys. Thus a brute-force attack appeared impractical.
However DES was finally and definitively proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000. The attack took less than three days. The EFF has published a detailed description of the machine, enabling others to build their own cracker [EFF98].
There have been other demonstrated breaks of the DES using both large networks of computers & dedicated h/w, including:
- 1997 on a large network of computers in a few months
- 1998 on dedicated h/w (EFF) in a few days
- 1999 above combined in 22hrs!
It is important to note that there is more to a key-search attack than simply running through all possible keys. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext.
We must now clearly consider alternatives to DES, the most important of which are AES and triple DES.
Another concern is the possibility that cryptanalysis is possible by exploiting the characteristics of the DES algorithm. The focus of concern has been on the eight substitution tables, or S-boxes, that are used in each iteration. These techniques utilise some deep structure of the cipher by gathering information about encryptions so that eventually you can recover some/all of the sub-key bits, and then exhaustively search for the rest if necessary. Generally these are statistical attacks which depend on the amount of information gathered for their likelihood of success. Attacks of this form include differential cryptanalysis, linear cryptanalysis, and related-key attacks.
We will discuss timing attacks in more detail later, as they relate to public-key algorithms. However, the issue may also be relevant for symmetric ciphers. A timing attack is one in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts. A timing attack exploits the fact that an encryption or decryption algorithm often takes slightly different amounts of time on different inputs. The AES analysis process has highlighted this attack approach, and showed that it is a concern particularly with smartcard implementations, though DES appears to be fairly resistant to a successful timing attack.
Biham & Shamir showed that differential cryptanalysis can be successfully used to cryptanalyse DES with an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts. Although 2^47 is certainly significantly less than 2^55, the need for the adversary to find 2^47 chosen plaintexts makes this attack of only theoretical interest. They also demonstrated this form of attack on a variety of encryption algorithms and hash functions.
Differential cryptanalysis was known to the IBM DES design team as early as 1974 (as a T attack), and influenced the design of the S-boxes and the permutation P to improve its resistance to it. Compare DES's security with the cryptanalysis of an eight-round LUCIFER algorithm, which requires only 256 chosen plaintexts, versus an attack on an eight-round version of DES, which requires 2^14 chosen plaintexts.
The differential cryptanalysis attack is complex. The rationale behind differential cryptanalysis is to observe the behavior of pairs of text blocks evolving along each round of the cipher, instead of observing the evolution of a single text block. Each round of DES maps the right-hand input into the left-hand output and sets the right-hand output to be a function of the left-hand input and the subkey for this round, which means you cannot trace values back through the cipher without knowing the value of the key. Differential cryptanalysis compares two related pairs of encryptions, which can leak information about the key, given a sufficiently large number of suitable pairs.
This attack is known as Differential Cryptanalysis because the analysis compares differences between two related encryptions, and looks for a known difference in leading to a known difference out with some (pretty small but still significant) probability. If a number of such differences are determined, it is feasible to determine the subkey used in the function f.
In differential cryptanalysis, we start with two messages, m and m', with a known XOR difference dm = m xor m', and consider the difference between the intermediate message halves at round i: dm_i = m_i xor m_i'. Then we have the equation from Stallings section 3.4, which shows how this removes the influence of the key, hence enabling the analysis. Suppose that many pairs of inputs to f with the same difference yield the same output difference if the same subkey is used. To put this more precisely, let us say that X may cause Y with probability p, if for a fraction p of the pairs in which the input XOR is X, the output XOR equals Y. We want to suppose that there are a number of values of X that have high probability of causing a particular output difference.
The overall strategy of differential cryptanalysis is based on these considerations for a single round. The procedure is to begin with two plaintext messages m and m' with a given difference and trace through a probable pattern of differences after each round to yield a probable difference for the ciphertext. You submit m and m' for encryption to determine the actual difference under the unknown key and compare the result to the probable difference. If there is a match, then we suspect that all the probable patterns at all the intermediate rounds are correct. With that assumption, we can make some deductions about the key bits. This procedure must be repeated many times to determine all the key bits.
Stallings Figure 3.7 illustrates the propagation of differences through three rounds of DES. The probabilities shown on the right refer to the probability that a given set of intermediate differences will appear as a function of the input differences. Overall, after three rounds the probability that the output difference is as shown is equal to 0.25*1*0.25=0.0625. Since the output difference is the same as the input, this 3 round pattern can be iterated over a larger number of rounds, with probabilities multiplying to be successively smaller.
Differential cryptanalysis performs the attack by repeatedly encrypting plaintext pairs with a known input XOR until the desired output XOR is obtained. See [BIHA93] for detailed descriptions. The attack on full DES requires an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts to be encrypted, with a considerable amount of analysis – in practice exhaustive search is still easier, even though up to 2^55 encryptions are required for this.
A more recent development is linear cryptanalysis. This attack is based on finding linear approximations to describe the transformations performed in DES. This method can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis. Although this is a minor improvement, because it may be easier to acquire known plaintext rather than chosen plaintext, it still leaves linear cryptanalysis infeasible as an attack on DES. Again, this attack uses structure not seen before. So far, little work has been done by other groups to validate the linear cryptanalytic approach.
The objective of linear cryptanalysis is to find an effective linear equation relating some plaintext, ciphertext and key bits that holds with probability p ≠ 0.5 as shown. Once a proposed relation is determined, the procedure is to compute the results of the left-hand side of the equation for a large number of plaintext-ciphertext pairs, in order to determine whether the sum of the key bits is 0 or 1, thus giving 1 bit of info about them. This is repeated for other equations and many pairs to derive some of the key bit values. Because we are dealing with linear equations, the problem can be approached one round of the cipher at a time, with the results combined. See [MATS93] for details.
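Both attacks above start from the single-round, single-S-box question ("X may cause Y with probability p"; "holds with probability p ≠ 0.5"), which is also how a designer measures an S-box. As an added example (not code from the original notes, from Stallings, or from the cited papers), the following Python profiles DES S1 this way: it tabulates the output XOR produced by each input XOR, the proportion of inputs for which a given parity of input bits equals a given parity of output bits, and the key cancellation from the differential paragraph (the XOR of two S-box inputs does not depend on the subkey). S1 is the standard DES table; the function names are my own.

```python
# Added example: profiling one DES S-box (S1) against the two analyses above.
# difference_table: how often input XOR dx produces output XOR dy.
# linear_table: how often parity(a & x) == parity(b & S1(x)), i.e. whether a
# linear approximation holds with probability other than 1/2.
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def s1(x):
    """S1 on a 6-bit int: outer bits pick the row, middle four the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return S1[row][(x >> 1) & 0xF]


def sbox_input_difference(e_r, e_r_prime, subkey):
    """The XOR of the two S-box inputs does not depend on the subkey:
    (E(R) ^ K) ^ (E(R') ^ K) == E(R) ^ E(R'). This cancellation is what
    lets differences be traced through a round without knowing K."""
    return (e_r ^ subkey) ^ (e_r_prime ^ subkey)


def difference_table(sbox):
    """ddt[dx][dy] = number of 6-bit x with sbox(x) ^ sbox(x ^ dx) == dy."""
    ddt = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            ddt[dx][sbox(x) ^ sbox(x ^ dx)] += 1
    return ddt


def best_differential(ddt):
    """Most likely (dx -> dy) for a nonzero input XOR: (probability, dx, dy)."""
    count, dx, dy = max((ddt[dx][dy], dx, dy)
                        for dx in range(1, 64) for dy in range(16))
    return count / 64, dx, dy


def parity(v):
    return bin(v).count("1") & 1


def linear_table(sbox):
    """lat[a][b] = number of x with parity(a & x) == parity(b & sbox(x)).
    The approximation holds with probability lat[a][b]/64."""
    lat = [[0] * 16 for _ in range(64)]
    for a in range(64):
        for b in range(16):
            lat[a][b] = sum(1 for x in range(64)
                            if parity(a & x) == parity(b & sbox(x)))
    return lat


def best_linear_bias(lat):
    """Largest |p - 1/2| over nonzero masks: (abs_bias, a, b)."""
    dev, a, b = max((abs(lat[a][b] - 32), a, b)
                    for a in range(1, 64) for b in range(1, 16))
    return dev / 64, a, b


if __name__ == "__main__":
    ddt = difference_table(s1)
    p, dx, dy = best_differential(ddt)
    print(f"S1: input XOR {dx:02x} -> output XOR {dy:x} with probability {p}")
    lat = linear_table(s1)
    bias, a, b = best_linear_bias(lat)
    print(f"S1: masks a={a:02x} b={b:x} hold with |bias| {bias}")
```

Two properties of these tables follow directly from the S-box design and are worth knowing when reading them: a zero input XOR always gives a zero output XOR (row 0 of the difference table is all in column 0), and because every S-box row is a permutation of 0..15, any nonzero output mask on its own is perfectly balanced (the linear table's row 0 is 32 everywhere except column 0). The nonzero entries elsewhere are the "pretty small but still significant" probabilities the text refers to; the full attacks multiply such per-round probabilities over many rounds, which is why the effort grows to the 2^43 and 2^47 figures quoted above.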
Although much progress has been made in designing block ciphers that are cryptographically strong, the basic principles have not changed all that much since the work of Feistel and the DES design team in the early 1970s. Some of the criteria used in the design of DES were reported in [COPP94], and focused on the design of the S-boxes and on the P function that distributes the output of the S boxes, as summarized above. See text for further details.
The cryptographic strength of a Feistel cipher derives from three aspects of the design: the number of rounds, the function F, and the key schedule algorithm. We briefly discuss each of these.
The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F. In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack. This criterion is attractive because it makes it easy to judge the strength of an algorithm and to compare different algorithms.
The function F provides the element of confusion in a Feistel cipher; we want it to be difficult to “unscramble” the substitution performed by F. One obvious criterion is that F be nonlinear. The more nonlinear F, the more difficult any type of cryptanalysis will be. We would like it to have good avalanche properties, or even the strict avalanche criterion (SAC). Another criterion is the bit independence criterion (BIC). One of the most intense areas of research in the field of symmetric block ciphers is that of S-box design. We would like any change to the input vector to an S-box to result in random-looking changes to the output. The relationship should be nonlinear and difficult to approximate with linear functions.
A final area of block cipher design, and one that has received less attention than S-box design, is the key schedule algorithm. With any Feistel block cipher, the key schedule is used to generate a subkey for each round. We would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key. The key schedule should guarantee the key/ciphertext Strict Avalanche Criterion and Bit Independence Criterion.